The Evolution of Multifactor Authentication

According to Android Authority, Google has started to test a password-free authentication method that offers a novel way of signing into accounts. The process requires the account holder to enter their username on their computer and then respond to a separate yes-or-no notification pushed to their smartphone.

This two-device form of authentication potentially allows users to live password-free lives while protecting against hacking attempts, and is expected to be made available for Android and iOS devices.

The new method would be an upgrade from single-factor authentication (SFA) and two-factor authentication, which are currently used. SFA combines the input of a username and password (which belong to the same authentication factor despite being two separate fields), and is the classic method of logging in. It's remained the most common form of verification thanks to its low cost, ease of implementation and familiarity, but attackers frequently breach such security systems.

However, two-factor authentication has been known to increase security, and Android, BlackBerry and iOS have apps supporting the method. Some of these employ biometric measures, utilizing fingerprint sensors, facial recognition, iris scanning or voice recognition. Some use location information as an additional confidence factor, triggering the need for additional credentials if the account holder's smartphone and PC aren't close by.

Android's current Smart Lock feature uses trusted locations, devices or biometrics for easier device access. Users can bypass entering a PIN or pattern to unlock their handset if it's within a certain zone or close to a predefined companion device like a Bluetooth-enabled watch or laptop.

Google's Authenticator process, which is already available, employs a two-step method that provides a single-use passcode with each login. A user is still required to enter their username and password, but is also prompted to give the one-time passcode that's either pushed to their phone in response to the login attempt or generated by the Authenticator app. The six-digit code is valid for 30 to 60 seconds, and serves to prove possession as a verification factor.

Smartphones offer several options for two-factor authentication, allowing companies to choose what best suits them. The process is similar to that used by many banks, enterprises and governments for secure logins, recognizing the modern reality that people are rarely separated from their phones. Google explains that this new method combines "something you know (your password) and something you have (a code sent to your phone)".

Yahoo launched a similar authentication system in October 2015 that used push notifications. Google's new system is a work in progress and the company's latest attempt to reduce reliance on passwords, which are considered one of the weakest links in a security chain.

This is another step in making the smartphone an essential rather than a convenience. Handsets are playing a role in security — from car keys to code generators to credit cards — and mobile platforms must become more secure. Passwords will be around for some time to come, but companies are looking to move beyond the norm.